Regulation S-P Establishes Data Breach Notification and Planning Requirements

Aaron Pinnick

Cyber Alert

  • Cybersecurity
  • SEC

On May 16th, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P. The amendments are intended to provide investors with greater privacy protections and transparency into data breaches by creating new requirements for how broker-dealers, investment companies, transfer agents, and registered investment advisers prepare for, respond to, and recover from data breaches and cybersecurity incidents that allow unauthorized access to sensitive customer information.

The SEC defines sensitive customer information as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

Rule requirements

The amendments will require covered entities to:

  1. Establish an incident response program – The amendment will require firms to build and maintain written policies and procedures that are reasonably designed to “detect, respond to, and recover from unauthorized access to or use of consumer information.” This will include the creation of an incident response program that is able to assess the nature and scope of data privacy incidents as well as take appropriate action to contain and control the incidents.
  2. Adopt a process for incident notification – The incident response program will be required to notify all individuals who have been impacted, or who could reasonably be expected to have been impacted, by the incident within 30 days of the incident being discovered. If the firm is unable to determine which individuals were impacted by the incident, the amendment requires that the firm notify all customers who could have been impacted by the incident.
  3. Make and keep compliance records – The amendments require covered entities (except funding portals) to document policies and procedures for Regulation S-P's requirements around the proper safeguarding and disposal of sensitive customer information.

One of the amendments also broadens the scope of information that is covered by Regulation S-P to include non-public customer information that is transferred to the covered firm via other institutions.

The rule will come into force 18 months after its publication in the Federal Register for larger entities, and 24 months after publication for smaller entities.

Our guidance

Many firms have very good cybersecurity programs, but those programs may not be well documented. This rule formalizes the SEC’s expectations of what it is looking for in a cybersecurity program. Firms should consider taking the following steps now to prepare:

  1. Review the firm's current incident response plan to make sure it complies with the rule’s requirements.
  2. Conduct tabletop/scenario exercises to ensure staff are aware of how to respond to incidents that expose non-public customer information.
  3. Ensure proper due diligence, monitoring, and oversight of vendors that have access to the firm’s sensitive customer information, and that the incident response program has built out the proper policies and procedures to support these activities.
  4. Establish and/or review the firm’s data classification policies to ensure data that meets the SEC’s definition of sensitive customer information receives the proper protection and is handled appropriately.
  5. Inventory the firm’s customer data to ensure the proper controls and safeguards for sensitive customer information are consistently applied, and to improve the speed at which the firm can potentially identify unauthorized access.

How we help

ACA Aponix® can help your firm build its cybersecurity program and strengthen its line of defense against cyberattacks. Our services include:

Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.